Tips to Avoid Phishing Attacks and Social Engineering

Are you a trusting person? When dealing with people you don't know, don't give them sensitive information unless you're sure who they are, and can prove that they are who they say they are. You'll want to ask yourself if they should have access to the information.

What is a social engineering attack?

To launch a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about a company (your financial institution) or its computer systems. The attacker can look like anyone and could fool you by claiming to be a repairman, a new intern, or an employee; they may even carry identification that says they work for your institution. They will try to gain your confidence by asking questions, and from the answers they may be able to piece together enough information to infiltrate your institution's network. If an attacker cannot gather enough information from one source, they will contact another person in the institution and use the information gleaned from the first person (you) to add credibility to their story.

What is phishing?

Phishing is a form of social engineering. Phishing attacks use email or malicious web sites to solicit personal, often financial, information. Attackers may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

How to avoid getting hooked?

Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

Don't send sensitive information over the Internet before checking a web site's security. Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
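The URL checks described above can be automated. The following is an added example, not part of the original article, of a small mail-screening script that extracts links from a message body and compares each host against an institution's known domains: a different top-level domain (.net instead of .com), a misspelled brand name, the real domain buried as a subdomain of an unrelated site, and the `user@host` trick where the brand name appears before an `@` but the real destination is what follows. The trusted domain `examplebank.com`, the sample message, and the two-label "registrable domain" rule are all assumptions constructed for the example; the rule does not handle multi-label suffixes such as `co.uk`.

```python
import re
from urllib.parse import urlparse

# Assumption: the institution's real domain(s). Constructed for this example.
TRUSTED = {"examplebank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Return the last two DNS labels, e.g. 'login.examplebank.com' -> 'examplebank.com'.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED):
    """Classify a hostname relative to the trusted domain set."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    name, _, tld = reg.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        if name == tname and tld != ttld:
            return "lookalike-tld"          # examplebank.net
        if edit_distance(name, tname) <= 2:
            return "lookalike-spelling"     # examp1ebank.com, exarnplebank.com
        if t in host:
            return "lookalike-subdomain"    # examplebank.com.evil.example
    return "unrelated"


def scan_email(body, trusted=TRUSTED):
    """Return [(url, verdict)] for every URL found in the message body."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")            # drop sentence punctuation glued to the link
        parsed = urlparse(url)
        if parsed.username is not None:
            # "https://examplebank.com@203.0.113.5/": the brand is userinfo,
            # the browser actually connects to what follows the '@'.
            verdict = "credentials-in-url"
        else:
            verdict = classify_host(parsed.hostname or "", trusted)
        results.append((url, verdict))
    return results


# Constructed sample message; the links are fabricated for the example.
SAMPLE_EMAIL = """Dear customer, your account has been locked.
Verify now at https://www.examplebank.net/verify or use
https://login.examplebank.com.secure-update.example/ within 24 hours.
Backup link: https://examplebank.com@203.0.113.5/login.
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:22} {url}")
```

Anything other than `trusted` is a reason to stop and verify the request out of band, as the article advises; a real filter would also normalise internationalised (punycode) hostnames and use a public-suffix list instead of the two-label rule.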

If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group: www.antiphishing.org.

Install and maintain anti-virus software, firewalls, and email filters to reduce these types of emails.

If You Think You've Fallen Victim

Should you think you may have revealed sensitive information about your institution or its customers, report it immediately to your manager and the information security department at your institution. They can alert the right people to monitor for any suspicious or unusual activity.

If you believe your banking or credit accounts may have been phished, contact your financial institution or the credit card company right away and close any accounts that may have been compromised. Monitor your accounts carefully and look for charges you cannot explain.

You may want to report the phishing attack to your local police, and file a report with the Federal Trade Commission: www.ftc.gov.

